We develop a decision-support framework for cyber risk mitigation policies from the perspective of an organization with limited resources for security controls, system upgrades, and cyber insurance. To balance the conflicting optimization objectives of the organization and the insurer, we propose a bi-level model that endogenously derives optimal strategies for both parties, accounting for key uncertainties underlying a cyber attack. We find that cyber insurance coverage increases with premium size, though the strength of this relationship depends on the effectiveness of system upgrades. Notably, upgrade effectiveness has an ambiguous impact on the equilibrium budget allocation strategy and insurance contract design, such that a more effective upgrade need not attract a commensurately larger budget allocation. We further show that information asymmetry regarding the insurer’s risk aversion can lead the defender to a suboptimal budget allocation, resulting in higher realized losses relative to the symmetric-information benchmark.